package com.goldgov.kduck.config;

import io.swagger.annotations.Authorization;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.client.RestTemplate;

@EnableWebSecurity
//@EnableOAuth2Client
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {
//    @Autowired
//    OAuth2ResourceServerProperties oAuth2ResourceServerProperties;
    @Autowired
    RestTemplate restTemplate;
    @Autowired
    GatewayProperties gatewayProperties;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
//                .requestMatchers()
//                .antMatchers("/favicon.ico")
//                .and()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/favicon.ico","/error","/actuator/**","/prometheus").permitAll()
                .antMatchers("/message/**").hasAuthority("SCOPE_resource:read")
//                .antMatchers("/whoami/**").hasAuthority("SCOPE_user_info")
                .antMatchers("/whoami/**").hasRole("USER")
                .antMatchers("/api-demo/**").hasRole("USER")
                .antMatchers("/api-*/**").hasAuthority("SCOPE_user_info")
                .antMatchers("/**/swagger-resources/**","/**/v2/api-docs/**","/swagger-ui.html","/doc.html","/webjars/**").permitAll()
                .withObjectPostProcessor(new MyObjectPostProcessor())
                .anyRequest()
                .authenticated()
                .and()
                .oauth2ResourceServer()
//                .oauth2Login()
//                .successHandler(new CustomAuthenticationSuccessHandler())
//                .and()
////                .bearerTokenResolver(new DefaultBearerTokenResolver())
//
                .jwt()
        ;
        // @formatter:on
    }

    private class MyObjectPostProcessor implements ObjectPostProcessor<FilterSecurityInterceptor> {

        @Override
        public <O extends FilterSecurityInterceptor> O postProcess(O fsi) {
            fsi.setSecurityMetadataSource(new CustomSecurityMetadataSource(gatewayProperties,restTemplate,fsi.getSecurityMetadataSource()));
            AffirmativeBased affirmativeBased = (AffirmativeBased) fsi.getAccessDecisionManager();
            affirmativeBased.getDecisionVoters().add(new ExpressionVoter(restTemplate));
            return fsi;
        }
    }

//    @Bean
//    JwtDecoder jwtDecoder() {
//        NimbusJwtDecoderJwkSupport jwtDecoder = new NimbusJwtDecoderJwkSupport(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
////        OAuth2TokenValidator<Jwt> tokenBlackListValidator = new TokenBlackListValidator();
////        JwtTimestampValidator timestampValidator = new JwtTimestampValidator();
////        OAuth2TokenValidator<Jwt> delegatingOAuth2TokenValidator = new DelegatingOAuth2TokenValidator<>(tokenBlackListValidator, timestampValidator);
////        jwtDecoder.setJwtValidator(delegatingOAuth2TokenValidator);
//        return jwtDecoder;
//    }
}
